
Google's penchant for publicly calling out the security failures of other vendors has recently come back to haunt it, as two IT industry rivals have sounded the alarm about two of the search giant's online services.

This week Symantec and Microsoft—companies that Google has previously cited for security vulnerabilities—issued their own disclosures about problems they discovered in Google's products and services.

In a blog post on Oct. 18, Symantec said it had found at least eight Android applications on Google Play that were infected with malware dubbed Sockbot, which is designed to add compromised systems to a botnet.

The applications purported to help users modify the appearance of characters in the Minecraft Pocket Edition video game. But when users downloaded the apps, they would silently connect to a remote malicious server and add the device to a botnet that, among other things, could be used to launch distributed denial of service attacks, the security vendor said.

Between 600,000 and 2.6 million users, primarily in the United States and to a lesser extent in Russia, Germany, Brazil and Ukraine, may have downloaded the malware onto their devices, the security vendor said. Google has removed the applications after Symantec informed the company about the issue.

The disclosure is the latest in a string of similar warnings that multiple security vendors have issued just this year about malware on Google's supposedly secure mobile app store.

Google has touted several measures it has implemented to detect and block malicious applications on Google Play and to prevent them from running on Android devices. But the continuing ability of threat actors to get their malware on Google's app store and infect millions of Android devices suggests the company's work in this regard is still in progress.

In what appears to be a new attempt to address the issue, Google on Oct. 19 announced a bug bounty program that will reward selected security researchers up to $1,000 for finding certain types of vulnerabilities in Android apps.

The "Google Play Security Reward Program" is designed to motivate security research into popular Android apps on Google Play, the company announced Thursday. The developers of popular Android applications on Google Play are being asked to opt in to the program and to allow security researchers to probe their software for certain vulnerabilities. Bug bounty coordinating firm HackerOne will manage the new program.

Meanwhile, in a separate and lengthy post on the Windows Security Blog on Oct. 18, a member of Microsoft's security team described its discovery of a remote code execution vulnerability in Chrome and chided Google's handling of the disclosure. "We responsibly disclosed the vulnerability that we discovered along with a reliable [Remote Code Execution] exploit to Google on September 14, 2017," wrote Jordan Rabet, a member of the Microsoft security team.

A fix for the problem was available in a beta version of Chrome within four days. But then Google made the source code for the fix publicly available in its GitHub repository even before it had been pushed to Chrome users. "In this specific case, the stable channel of Chrome remained vulnerable for nearly a month after that commit was pushed to [GitHub]. That is more than enough time for an attacker to exploit it," Rabet said.

Microsoft and Google have had at least one previous public run-in over bug disclosures. In October 2016 Google security researchers publicly disclosed the details of a zero-day bug in Windows before Microsoft had released a patch for it.

At the time, Google's security team said it had decided to do so—after giving Microsoft seven days to fix the issue—because the bug was already being actively exploited. Microsoft had called that decision "disappointing" and criticized Google for not following responsible disclosure policies.

In an apparent reference to that incident, Rabet this week noted: "Our strategies may differ, but we believe in collaborating across the security industry in order to help protect customers."
